Let's Encrypt Broken?
Moderator: Project members
-
- 504 Command not implemented
- Posts: 11
- Joined: 2023-07-10 23:54
- First name: Adrian
- Last name: Blazer
Hello
Unable to set up Let's Encrypt on FileZilla Server 1.7.2
Environment: Windows Server 2019 Std Edition, fully patched, IIS internal web server
Web server can be reached externally on port 80 and 443
Followed procedures as per docs.
Falls over when trying to create account with error: HTTP Internal error: ECONNABORTED - Connection aborted. Could not connect to host acme-staging-v02.api.letsencrypt.org:443
On the same system can browse without problem to URL https://acme-staging-v02.api.letsencrypt.org
See attached screenshots
Any ideas welcome
Thank you.
Re: Let's Encrypt Broken?
Cannot reproduce.
Are you sure there's nothing blocking outgoing connections from the server's service like, say, a firewall? What does the complete server log say?
Re: Let's Encrypt Broken?
Does this not confirm the server can reach Let's Encrypt?
On the same system can browse without problem to URL https://acme-staging-v02.api.letsencrypt.org
See screenshot above
There are no outgoing ports blocked
Just tried again, same failure, nothing in server logs
Re: Let's Encrypt Broken?
OK just tried this on a completely different brand new Windows 2019 server
And new install of FileZilla Server, 1.72
On a completely different network
Exact same failure.
Has anyone actually got this working on Windows 2019 and FileZilla Server 1.72?
Re: Let's Encrypt Broken?
FileZilla Server logs:
2023-07-11T16:19:25.436Z == [FTP Server] Listening on [::]:21.
2023-07-11T16:19:25.436Z == [Administration Server] Listening on 127.0.0.1:14148.
2023-07-11T16:19:25.436Z == [Administration Server] Listening on [::1]:14148.
2023-07-11T16:19:28.577Z == [Administration Server] Administration client with ID 1 connected from 127.0.0.1:63441
2023-07-11T16:20:09.946Z !! [ACME] Error: HTTP Internal error: ECONNABORTED - Connection aborted. Could not connect to host acme-staging-v02.api.letsencrypt.org:443.
2023-07-11T16:20:09.946Z !! [Administration Server] Error processing get_acme_terms_of_service: HTTP Internal error: ECONNABORTED - Connection aborted. Could not connect to host acme-staging-v02.api.letsencrypt.org:443.
Re: Let's Encrypt Broken?
OK just tested on Windows 10, same network, works fine.
So the issue is that it seems not to be working on Windows 2019
Re: Let's Encrypt Broken?
Just to be clear, we are using FileZilla Server 1.7.2
Re: Let's Encrypt Broken?
Ok turned on DEBUG logging and got this:
WINDOWS 2019
===============
2023-07-11T17:04:00.335Z DI [ACME] Getting terms of service...
2023-07-11T17:04:00.335Z DD [ACME/HTTP Client] Connecting to acme-v02.api.letsencrypt.org:443
2023-07-11T17:04:00.597Z DD [ACME/HTTP Client] Certificate is trusted: no
2023-07-11T17:04:00.597Z DW [ACME/HTTP Client] ECONNABORTED - Connection aborted. Could not connect to host acme-v02.api.letsencrypt.org:443.
WINDOWS 10
============
2023-07-11T17:09:01.172Z DI [ACME] Getting terms of service...
2023-07-11T17:09:01.172Z DD [ACME/HTTP Client] Connecting to acme-staging-v02.api.letsencrypt.org:443
2023-07-11T17:09:01.475Z DD [ACME/HTTP Client] Certificate is trusted: yes
2023-07-11T17:09:01.475Z DD [ACME/HTTP Client] ***BEGIN REQUEST***
2023-07-11T17:09:01.475Z DD [ACME/HTTP Client] GET /directory HTTP/1.1
Re: Let's Encrypt Broken?
So it seems the SSL R5 certificate at host acme-v02.api.letsencrypt.org is TRUSTED by FileZilla Server 1.7.2 on Windows 10
But is NOT trusted by FileZilla Server 1.7.2 on Windows 2019
NOTE: when using the Edge browser on the same Windows 2019 server, the certificate at host acme-v02.api.letsencrypt.org is TRUSTED
Weird to say the least...........
Re: Let's Encrypt Broken?
For some time now, Edge hasn't used the operating system trust store, but ships its own: https://learn.microsoft.com/en-us/deplo ... rification
Your OS trust store, which FileZilla Server uses, must be updated, since it doesn't recognize the current Let's Encrypt server's certificate. Do you have any updates pending, according to Windows Update?
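A way to check what the reply above describes, as an added example that is not part of the original thread and not FileZilla code: it lists the ISRG roots in the machine's Trusted Root store, asks the Windows chain engine to validate the ACME host's certificate, then lists the store again, since Windows can add a missing root on demand during chain building. The function name `Get-IsrgRoot` and the variable names are assumptions; the host name is the one from the error message in this thread.

```powershell
# Added example, not FileZilla code. Run in Windows PowerShell on the affected server.
$AcmeHost = 'acme-staging-v02.api.letsencrypt.org'   # host from the error in this thread

function Get-IsrgRoot {
    # ISRG roots currently present in the machine-wide Trusted Root store
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*ISRG Root*' } |
        Select-Object Subject, NotAfter, Thumbprint
}

$before = @(Get-IsrgRoot)
"ISRG roots in LocalMachine\Root before the test: $($before.Count)"

# Fetch the server's leaf certificate. The callback accepts any certificate because
# the handshake is used only to read it; no request is sent over the connection.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient($AcmeHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($AcmeHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# Validate the leaf with the Windows chain engine (revocation checks skipped).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($leaf)
"Windows chain engine trusts ${AcmeHost}: $trusted"
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }

# Chain building can add a missing root to the store on demand, so list it again.
$after = @(Get-IsrgRoot)
"ISRG roots in LocalMachine\Root after the test: $($after.Count)"
$after | Format-Table -AutoSize
```

If the first listing is empty and the second is not, the root was added on demand by the chain engine during the test rather than being present beforehand.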
Re: Let's Encrypt Broken?
@oibaf, that was a great tip!
Thanks very much.
Didn't know that about Edge, checked the Windows Certificate Store and sure enough the Trusted Root Certification Authorities store contained very few certificates.
AFAWK Windows should pull additional certs to this store on demand, but this did not happen with FileZilla.
After manually installing the ISRG Root certs, the account creation process went smoothly.
Then we successfully installed a new Let's Encrypt cert.
However, when we try to connect to the server using FileZilla client (v.3.65) it says the certificate is unknown and asks to confirm (see screenshot)
The whole idea was to avoid that confirmation dialogue box, we thought that only happened with a self-signed cert?
Re: Let's Encrypt Broken?
In the FileZilla Client's menu: Edit -> Settings -> Connection -> Use system trust store
Re: Let's Encrypt Broken?
By default the client doesn't use the system trust store, but instead uses user-guided TOFU. You can enable use of the system trust store in the settings dialog.
Re: Let's Encrypt Broken?
@oibaf PERFECT!!
All working very well
Thank you to everyone for the help and support, highly appreciated
Perhaps the post title needs to be changed to "LetsEncrypt Working Perfectly........."